Enumeration
Tools
SharpView: https://github.com/tevora-threat/SharpView (aggressor https://github.com/tevora-threat/PowerView3-Aggressor)
PowerView: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 (tips https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) (dev: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
ADModule: https://github.com/samratashok/ADModule (the ActiveDirectory module can be used without installing RSAT: Import-Module the Microsoft.ActiveDirectory.Management.dll shipped in the repo, then the ActiveDirectory.psd1. Its cmdlets talk to a DC over ADWS, TCP 9389, so that port must be reachable.)
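Loading ADModule from a dropped copy and checking that it works, as an added example (not code from the ADModule repo or the original page). The path C:\AD\Tools\ADModule is an assumption; point it at wherever the repo contents were copied.

```powershell
# Added example: load the ActiveDirectory module from a copied DLL without RSAT.
# $base is an assumed location; adjust to where the ADModule repo was dropped.
$base = 'C:\AD\Tools\ADModule'

# Order matters: the managed DLL first, then the module manifest that wraps it.
Import-Module "$base\Microsoft.ActiveDirectory.Management.dll" -Verbose
Import-Module "$base\ActiveDirectory\ActiveDirectory.psd1" -Verbose

# Sanity check 1: the cmdlets are now available in this session.
(Get-Command -Module ActiveDirectory | Measure-Object).Count

# Sanity check 2: a live query succeeds. If this fails with a "server could not be contacted"
# style error, ADWS (TCP 9389) on the DC is not reachable from this host.
Get-ADDomain | Select-Object DNSRoot, DomainSID, DomainControllersContainer
Get-ADDomainController -Discover | Select-Object HostName, IPv4Address
```

Unlike PowerView, these cmdlets are signed Microsoft code, which is why this route is attractive on hosts where script-block logging or AMSI flags PowerView.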
Domain
Get Domain
Get-NetDomain
Get-NetDomain -Domain domain.local
Get Domain SID
Get-DomainSID
Get-DomainSID -Domain domain.local
Get Domain Policy
Get-DomainPolicy
(Get-DomainPolicy)."system access"
(Get-DomainPolicy -Domain moneycorp.local)."system access"
Get DCs
Get-NetDomainController
Get-NetDomainController -Domain moneycorp.local
Users
Get a list of users in the current domain
Get-NetUser
Get-NetUser -UserName student1
Get a list of all properties for users within domain
# Lists all properties available
Get-UserProperty
# Gets the value of a property for all users in the domain
Get-UserProperty -Properties pwdlastset
Search for a particular string in a user attribute (here: "built" anywhere in Description)
Find-UserField -SearchField Description -SearchTerm "built"
Groups
Get all groups in current domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get all groups containing admin in current domain
Get-NetGroup *admin*
Get members of domain admin group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get the group membership for a user
Get-NetGroup -UserName "student1"
Computers / Sessions
Get a list of computers in current domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
List all local groups on a machine (needs local admin privileges to query non-DC machines)
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -ListGroups
List members of local groups on a machine (needs local admin privileges on non-DC machines)
Get-NetLocalGroup -ComputerName dcorpdc.dollarcorp.moneycorp.local -Recurse
Get actively logged on users on target (needs admin rights on target)
Get-NetLoggedon -ComputerName <servername>
Get locally logged on users on target (needs the Remote Registry service, which is started by default on Windows Server but not on client SKUs)
Get-LoggedonLocal -ComputerName dcorpdc.dollarcorp.moneycorp.local
Get the last logged on user on target (needs admin rights and Remote Registry enabled)
Get-LastLoggedOn -ComputerName <servername>
Files
Find shares on hosts in current domain
Invoke-ShareFinder -Verbose
Find sensitive files on computers within domain
Invoke-FileFinder -Verbose
Get all file servers of domain
Get-NetFileServer
GPO / OU
Get list of GPO in current domain
Get-NetGPO
Get-NetGPO -ComputerName dcorpstudent1.dollarcorp.moneycorp.local
Get GPO which use restricted groups or groups.xml for interesting users
Get-NetGPOGroup
Get users which are in a local group of a machine using GPO
Find-GPOComputerAdmin -ComputerName dcorpstudent1.dollarcorp.moneycorp.local
Find machines where given user is a member of a specific group
Find-GPOLocation -UserName student1 -Verbose
Get OUs in a Domain
Get-NetOU -FullData
Get GPO applied on an OU (take the GPO GUID from the OU's gplink attribute in the Get-NetOU -FullData output, then look it up by name)
Get-NetGPO -GPOname "{AB306569-220D-43FF-B03B-83E8F4EF8081}"
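Resolving every GPO linked to every OU in one pass, as an added example (not PowerView's own code and not from the original page). It parses the gplink attribute that Get-NetOU -FullData returns and feeds each GUID to Get-NetGPO -GPOname; it assumes the PowerSploit master branch PowerView is loaded. The function name Get-OUGPOLinks is made up for this example.

```powershell
# Added example: map OUs to their linked GPOs by parsing gplink.
# Assumes old PowerView (Get-NetOU / Get-NetGPO) is already imported.
function Get-OUGPOLinks {
    param([string]$Domain)

    $ouArgs = @{ FullData = $true }
    if ($Domain) { $ouArgs['Domain'] = $Domain }

    Get-NetOU @ouArgs | ForEach-Object {
        $ou = $_
        if (-not $ou.gplink) { return }   # OU with no linked GPOs

        # gplink looks like: [LDAP://cn={GUID},cn=policies,cn=system,DC=x,DC=y;0][LDAP://...;2]
        # The integer after ';' is the link option bitmask: bit 0 = link disabled, bit 1 = enforced.
        $pattern = '(?i)\[LDAP://cn=(\{[0-9a-f-]+\})[^;]*;(\d+)\]'
        foreach ($m in [regex]::Matches($ou.gplink, $pattern)) {
            $guid = $m.Groups[1].Value
            $opts = [int]$m.Groups[2].Value

            $gpoArgs = @{ GPOname = $guid }
            if ($Domain) { $gpoArgs['Domain'] = $Domain }
            $gpo = Get-NetGPO @gpoArgs

            [pscustomobject]@{
                OU          = $ou.distinguishedname
                GPO         = $gpo.displayname
                GUID        = $guid
                LinkEnabled = -not [bool]($opts -band 1)
                Enforced    = [bool]($opts -band 2)
                SysvolPath  = $gpo.gpcfilesyspath
            }
        }
    }
}

Get-OUGPOLinks | Format-Table -AutoSize
```

Disabled links and enforced links are worth seeing explicitly: an enforced GPO wins over conflicting settings lower in the OU tree, and a GPO whose only link is disabled applies nowhere even though Get-NetGPO still lists it.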
ACLs
Get ACLs associated with a specific object
Get-ObjectAcl -SamAccountName student1 -ResolveGUIDs
Get ACLs of objects under a prefix relative to the domain root (here CN=Administrator,CN=Users)
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
Get ACLs of the object at a full LDAP path
Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
Search for interesting ACEs
Invoke-ACLScanner -ResolveGUIDs
Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
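Invoke-ACLScanner returns every interesting ACE in the domain; what matters in practice is the subset the current account can actually exercise. The following added example (not PowerView's own code and not from the original page) filters the scanner output to ACEs whose trustee is the current user or one of the groups the user is recursively a member of. It assumes the PowerSploit master branch PowerView, whose Invoke-ACLScanner output carries an IdentityReference of the form DOMAIN\name; on the dev branch the equivalent is Find-InterestingDomainAcl with the IdentityReferenceName property. The function name Find-MyInterestingAces is made up for this example.

```powershell
# Added example: restrict Invoke-ACLScanner output to ACEs usable by a given account.
# Assumes old PowerView (Get-NetGroup / Invoke-ACLScanner) is already imported.
function Find-MyInterestingAces {
    param([string]$UserName = $env:USERNAME)

    # Effective (recursive) group membership plus the account itself.
    # Get-NetGroup -UserName returns group objects with -FullData and plain names without,
    # so handle both shapes.
    $principals = @($UserName)
    $principals += Get-NetGroup -UserName $UserName -FullData | ForEach-Object {
        if ($_.samaccountname) { $_.samaccountname } else { "$_" }
    }
    # Caveat: the primary group (normally Domain Users) is not returned by a member-chain
    # query, so add it by hand if ACEs granted to it are of interest.
    $principals = $principals | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

    Invoke-ACLScanner -ResolveGUIDs | Where-Object {
        # IdentityReference is DOMAIN\name; compare the name part only.
        $trustee = ("$($_.IdentityReference)" -split '\\')[-1].ToLower()
        $principals -contains $trustee
    } | Select-Object ObjectDN, IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
}

Find-MyInterestingAces | Format-Table -AutoSize
```

Rights such as GenericAll, WriteDacl, WriteOwner, or an ExtendedRight like User-Force-Change-Password on a user or group object are the ones to chase first; -ResolveGUIDs is what turns the raw ObjectType GUID into that readable name.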
Trusts
Domain Trust Mapping
Get-NetDomainTrust
Get-NetDomainTrust -Domain us.dollarcorp.moneycorp.local
Forest Mapping
Get-NetForest
Get-NetForest -Forest eurocorp.local
Get all domains in current forest
Get-NetForestDomain
Get-NetForestDomain -Forest eurocorp.local
Get all global catalogues for the current forest
Get-NetForestCatalog
Get-NetForestCatalog -Forest eurocorp.local
Map trusts of a forest
Get-NetForestTrust
Get-NetForestTrust -Forest eurocorp.local
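Get-NetDomainTrust only shows the trusts of one domain. To see the whole graph reachable from the current position, walk the trust targets breadth-first, as in this added example (not PowerView's own code and not from the original page; PowerView's Invoke-MapDomainTrust does the same job). It assumes the PowerSploit master branch PowerView, whose Get-NetDomainTrust returns .NET TrustRelationshipInformation objects with SourceName, TargetName, TrustType and TrustDirection. The function name Get-ReachableTrusts is made up for this example.

```powershell
# Added example: breadth-first walk of domain trusts starting from the current domain.
# Assumes old PowerView (Get-NetDomain / Get-NetDomainTrust) is already imported.
function Get-ReachableTrusts {
    param([string]$StartDomain = (Get-NetDomain).Name)

    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($StartDomain)

    while ($queue.Count -gt 0) {
        $d = $queue.Dequeue()
        if ($seen.ContainsKey($d)) { continue }
        $seen[$d] = $true

        # A failure here means no DC of that domain could be contacted from here
        # (no route, or no trust path for our token); record nothing and move on.
        $trusts = Get-NetDomainTrust -Domain $d -ErrorAction SilentlyContinue
        foreach ($t in $trusts) {
            [pscustomobject]@{
                Source    = $t.SourceName
                Target    = $t.TargetName
                Type      = $t.TrustType
                Direction = $t.TrustDirection
            }
            if (-not $seen.ContainsKey($t.TargetName)) { $queue.Enqueue($t.TargetName) }
        }
    }
}

Get-ReachableTrusts | Sort-Object Source, Target | Format-Table -AutoSize
```

Every edge is reported from the perspective of the domain that was queried, so a bidirectional trust shows up twice (once from each side); that duplication is a useful consistency check that both sides were actually reachable.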
Scripts
Find all machines in the current domain where the current user has local admin access (This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Invoke-CheckLocalAdminAccess against each machine. This generates logon events on every machine: loud!)
Find-LocalAdminAccess -Verbose
Alternative: Find-WMILocalAdminAccess.ps1
Find local admins on all machines of the domain (needs administrator privileges on non-DC machines). (This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Get-NetLocalGroup against each machine.)
Invoke-EnumerateLocalAdmin -Verbose
Find computers where a domain admin (or specified user/group) has sessions. (This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer), and lists sessions and logged on users (Get-NetSession/Get-NetLoggedon) from each machine.)
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Confirm admin access on the hosts found
Invoke-UserHunter -CheckAccess
Find computers where a domain admin is logged in, with less noise. (This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of only high-traffic servers (DCs, file servers and distributed file servers) to reduce traffic, and lists sessions and logged on users (Get-NetSession/Get-NetLoggedon) from each of those machines.)
Invoke-UserHunter -Stealth
PrivEsc
Unconstrained Delegation
Get-NetComputer -UnConstrained
Get-DomainUser -AllowDelegation -AdminCount
Constrained Delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
ASREP Roasting
Get-DomainUser -PreauthNotRequired -Verbose
Clear-text passwords stored in the userPassword attribute
# userPassword is returned as a byte array, hence the ASCII decode; $FormatEnumerationLimit=-1 stops Format-List truncating long memberof lists
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl